Asuswrt-Merlin 384/NG Changelog =============================== General changes in the 384/NG branch vs 380.xx: - Clear your browser cache after upgrading from 380.xx to 384.xx. - It's generally recommended to do a factory default reset when coming from 380 to 384/NG. - HDD spindown settings moved to the System settings page - SSL certificate management moved to the DDNS page for models that support Let's Encrypt - Nvram settings now have maximum lengths enforced, to protect against buffer overruns. This means that some very long lists of settings might no longer be possible on 384.xx. 384.7 (xx-xxx-xxxx) - NOTE: The RT-AC3200 and RT-AC56U are not supported by this release, Asus hasn't released any updated code for these models. - NEW: Merged with GPL 384_21152. - NEW: Merged RT-AC87U binary blobs + SDK from 382_50702. - NEW: Replaced old ez-ipupdate DDNS client with inadyn. A plugin was developed to fully support Asus's DDNS service. Custom services can now be configured through ddns-start, inadyn.conf, inadyn.conf.add or inadyn.postconf. See the inadyn documentation as many custom services can be defined for it. - NEW: Added support for freedns.afraid.org DDNS service to webui. - NEW: Added option to retrieve WAN IP from either the local interface (like before) or through a remote server (which works through double NAT) for DDNS. - NEW: Display DFS channel info on Wireless Log page. - NEW: Added option to disable checks on unsigned DNSSEC replies. Disabling these will speed up lookups, but it will also remove part of the security benefits of DNSSEC, so it should not be used unless you have a very specific reason to do so. - CHANGED: Updated curl to 7.61.1. - CHANGED: Updated wget to 1.19.5. - CHANGED: Updated openssl to 1.0.2p. - CHANGED: Updated dnsmasq to v2.80test4 (themiron). - CHANGED: Updated nano to 3.1 - CHANGED: All DDNS services now use HTTPS. - CHANGED: Replaced Google Domains DDNS script with inadyn's own plugin. - CHANGED: Moved DNSFilter to the LAN section, to make it clear that it's unrelated to Trend Micro's engine. - CHANGED: Report hostname and IP on Wireless Log page if the info is missing from dnsmasq but available from networkmap. - FIXED: Invalid dnsmasq config when setting DNSFilter to Router mode and having IPv6 enabled (themiron). - FIXED: dnsmasq crashing on RT-AC86U with IPv6 Stateful mode (themiron). - FIXED: client table would be shown twice on the VPN Status page if the only connections to an OVPN server were invalid clients (like a port scanner) - FIXED: DDNS forced updates after "x" days wouldn't be fired. - REMOVED: Ez-ipupdate DDNS client (replaced with inadyn). Update your scripts if you were relying on it. 384.6 (25-July-2018) - NOTE: The RT-AC87U is not supported in this release, as Asus hasn't released any updated code for that model. - NEW: Merged with GPL 384_21045/382_50624. - NEW: Added support for the "-p" option to netstat. - NEW: Added setting to enable DNS rebind protection, on the DHCP page. This works by rejecting upstream server responses that would point at a private IP. - CHANGED: Updated nano to 2.9.8 - CHANGED: Updated curl to 7.60.0 (contains security fixes) - CHANGED: Allow selecting text (for copy/paste operations) on AiProtection pages. - CHANGED: Added AES-*-GCM ciphers to the OpenVPN legacy ciphers (so they can be explicitely used without using NCP). - CHANGED: Updated dnsmasq to 2.80test2-17-g51e4eee (themiron) - CHANGED: Since dnsmasq 2.80, dnsmasq now ensures that unsigned DNS replies received with DNSSEC enabled are legitimate. If your upstream DNS doesn't support DNSSEC, this means all replies from signed zones will be considered invalid. Make sure you only enable DNSSEC if your upstream DNS servers do support it. This behaviour is a bit slower, but far more secure than the old default. - CHANGED: Network Tools -> Netstat output also report program/PID - CHANGED: Updated CA bundle to June 20th version. - FIXED: IPv6-related issues on non-HND platform (themiron) - FIXED: Couldn't log on WTFast if accessing the router webui over https. - FIXED: USB modem support code failing to properly pass parameters to the kernel module (themiron) - REMOVED: WTFast support for RT-AC88U/RT-AC3100/RT-AC5300, as it's incompatible with recent versions of curl (and has been broken for quite some time). Not gonna revert back to a 7 years old curl version just for wtfast. 384.5 (13-May-2018) - NEW: Merged withh GPL 384_20648 - NEW: Merged RT-AC68U, RT-AC5300 binary blobs from 384_20648 - NEW: Merged RT-AC86U SDK and binary blobs from 384_20648 - NEW: service-event script, executed before any service call is made. First argument is the event (typically stop, start or restart), second argument is the target (wireless, httpd, etc...). Note that this script will block the execution of the event until it returns. - NEW: Added USB HID modules (for use with devices such as UPS) - NEW: Added ip6tables-save command. - CHANGED: Updated OpenVPN to 2.4.6. - CHANGED: Updated Dropbear to 2018.76. - CHANGED: Updated Openssl to 1.0.2o. - CHANGED: Updated miniupnpd to version 2.1 (20180508). - CHANGED: Updated nano to 2.9.5. - CHANGED: Moved RT-AC86U to the same Busybox version (1.25.1) as other models. - CHANGED: Revised OpenVPN server options: o Removed "TLS Reneg time" (rarely used, can manually be set as a custom option) o Removed "Server Poll" (which didn't work properly), and reimplemented watchdog service, hardcoded to 2 mins frequency. o Removed "Push LAN" and "Redirect Gateway", replaced with new Client Access setting o Removed Firewall setting (firewall rules are now always created, and the broken External mode was fixed and integrated into the new Client Access setting). You can now use the postconf script to override it. o Removed option to respond to DNS queries - enabling the option to Push DNS will also handle it o Added new Client Access setting to select between three types of access: LAN only, WAN only (will block access to the LAN, including the router itself) and LAN + WAN. o Keys and certificates can now be up to 7999 characters long. - CHANGED: Revised OpenVPN client options: o Reorganized settings into groups o Removed "Poll Interval" (which didn't work properly), and reimplemented watchdog service, with a hardcoded frequency of 2 mins. o Removed Firewall setting (firewall rules are now always created). You can now use the postconf script to override it. o Modified behaviour of Connection Retry. Instead of taking a value in seconds that only affected resolution failure, it now takes a number of attempts, and affects connection failures. Resolution failures will now retry for an infinite period of time (the default OpenVPN value). o Added "refresh" link which can be clicked to re-query the public IP endpoint of the tunnel o Keys and certificates can now be up to 7999 characters long. - CHANGED: Removed option to resolve names on the Log -> Connections page. That functionality was added to the Network Tools -> Netstat page instead. - CHANGED: Re-designed Log -> Connections page into a table with sortable fields - click on a column header to sort on that field. - CHANGED: From now on, setting the router to act as a master browser or a WINS server will also require you to enable sharing. This will ensure that users understand that enabling either of these settings requires disk sharing to also be enabled (which it was already silently doing before). - CHANGED: Moved "Beta firmware" option to the Tools -> Other Settings page - CHANGED: Improved layout of the Firmware Update page - CHANGED: WPAD behaviour (sending a carriage return on DHCP option 252) can now be controlled in the Tweaks section. - CHANGED: Blocking custom scripts such as service-event and pre-mount will now wait a maximum of 120 seconds before resuming normal operations, to prevent accidental lockouts. - CHANGED: Autofill start/end time for DST when selecting a timezone (LostFreq) - FIXED: Some dnsmasq issues related to DNSSEC were fixed, including CVE-2017-15107. (backported from dnsmasq 2.79 by John Bacho) - FIXED: Restoring an OpenVPN instance to default values would fail to disable its Start with WAN setting. - FIXED: Hardware authentication failure for the RT-AC3100 and RT-AC5300. - FIXED: Minidlna web status page could no longer be enabled. - FIXED: CVE-2017-9022, CVE-2017-9023 and CVE-2017-11185 in Strongswan (odkrys) - FIXED: Various issues with download traffic in Traditional QoS (Cédric Dufour) - FIXED: TCP timeout values couldn't be changed on the Tools -> Other Settings page. - FIXED: Security issue related to webui logging in (Asus bug) 384.4_2 (24-Mar-2018) - CHANGED: Added visual warning when manually enabling webui access on WAN. Doing so carries serious potential security risks, as Asuswrt's web server code should not be considered hardened enough for this. - FIXED: Security issue in httpd (CVE-2018-8879). - FIXED: Potential security issue in httpd related to QiS. - FIXED: Minor webui issue in the QoS overhead menu. 384.4 (16-Mar-2018) - NEW: Merged with GPL 384_20379 (with some binary components from 382_50010 and 384_20308 depending on models) - NEW: Added support for the RT-AC5300. - NEW: Added support for the RT-AC87U. - NEW: Added IPSEC support to the RT-AC86U. - NEW: Support the new Entware 64-bit repo on the RT-AC86U. To switch to the new repository, re-run the entware-setup.sh script. You will need to reinstall your apps (your old config files are backed up on your USB disk). - CHANGED: Tightened security around some config files. - CHANGED: Allow guest networks settings for AP isolation and SSID broadcast to be set separately from their parent interface (John Bacho) - CHANGED: Samba protocol support can now be set to SMBv1, SMBv2, or SMBv1 + SMBv2 (the new default). This will result in a performance drop on all models but the RT-AC86U, but will be more secure. Ideally, people should change it to SMBv2 only, and then reboot all their client devices to start using only the new protocol. - CHANGED: Re-added some of the logging sd-idle used to do in 380.xx. - CHANGED: Switched to the new Entware repo for armv7 models. To upgrade, run the following commands TWICE: opkg update; opkg upgrade - FIXED: Resetting an OpenVPN client to default settings might revert back after a reboot. - FIXED: log flood from lldpd about "unable to send packet on real device" (moved to debug level) - FIXED: Potential racing condition that could lead to two instances of miniupnpd running at boot time. - FIXED: Single-char hostnames were rejected by DHCP static leasees page. (theMIROn) - FIXED: AiCloud could sometime generate a new SSL certificate that would overwrite the one stored in jffs. Now, AiCloud can also use the same one uploaded by the user for the main webui, or the Let's Encrypt one. - REMOVED: Telnet server. Please use SSH for console-based management. - REMOVED: SNMP support on the RT-AC86U (incompatible) - REMOVED: Merlin NAT loopback mode (was increasingly problematic as the firmware firewall handling became more complex) 384.3 (14-Feb-2018) - NOTE: To reduce confusion following the version bump to 384, the current Github repository was renamed from asuswrt-merlin.382 to asuswrt-merlin.ng (for New Generation). It's recommended that you update your local repository if you're a developer, for example by running: git remote set-url origin \ email@example.com:RMerl/asuswrt-merlin.ng.git - NOTE: AiMesh is currently not supported. Feasability of supporting it is still under evaluation. - NEW: Merged with GPL 384_10007 - NEW: Added support for RT-AC3200 (merged SDK 7.x-main + binary blobs from 382_19466). - NEW: nano can now be configured through /jffs/configs/nanorc - CHANGED: Allow up to 5 OpenVPN clients on RT-AC3200. - CHANGED: Updated nano to 2.9.3. - FIXED: Some routers coming from 380.xx would incorrectly report a new firmware available at boot time. - FIXED: Some broken clients (like Samsung TVs) try to use reserved hostnames - ignore these. (theMIRon) - FIXED: Added missing IPv6 local hostnames (theMIRon) - FIXED: Issues withh DNS & broadcast relay for pptp clients (theMIRon) - FIXED: Fixed CVE-2018-5721 in httpd (Merlin & theMIROn) - FIXED: helper.js wasn't properly handling parentheses (John9527) - FIXED: NAT acceleration of PPPoE for some models (fix backported from 382_50010) - FIXED: Networkmap-related issues on some models (missing tx/rx rate and such). - FIXED: ipset could cause the router to crash on the HND platform (john9527) - FIXED: Network Service Filter wasn't working when in Blacklist mode. - FIXED: Repeater mode (backport from 384_20287) 382.2 Beta (17-Jan-2018) - NOTE: Due to various issues with GPL 382_18991, the 382.2 release is being dropped, and work is moving on to the next version. 382.2 beta releases remain available for those who still wish to use it (especially RT-AC56U users for whom there is no ETA as to when Asus will release the next GPL for that particular model.) Known issues include lack of PPPoE HW acceleration and Adaptive QoS sometimes failing to start at boot among others. - NOTE: The official IRC channel has moved to Freenode (#asuswrt). - NEW: Merged with GPL 382_18991. Most notable changes (will vary between models): - Added IPSec VPN server - Added IFTTT and Alexa support - Let's Encrypt support (DDNS page) - Better support for some longer settings (RT-AC86U) - NEW: Merged HND SDK + binary components from 382_18848 (RT-AC86U) - NEW: Added IPSec VPN status on the VPNStatus page. - NEW: Added support for RT-AC56U and RT-AC68U (and all of its variants) - NEW: Enabled support for Let's Encrypt on RT-AC56U and RT-AC68U (in addition to RT-AC88U/3100) - CHANGED: Moved HTTPS cert management to the DDNS page (where Asus has put theirs, as Let's Encrypt is tied to the DDNS configuration) - CHANGED: Updated openssl to 1.0.2n. - CHANGED: Updated tor to 0.2.9.14. - CHANGED: Updated nano to 2.9.1. - CHANGED: Updated curl to 7.57.0. - CHANGED: Increased max length for OpenVPN custom settings from 170 to 510 characters on RT-AC86U. - CHANGED: Updated miniupnod to Github snapshot 20171212. - CHANGED: OpenVPN firewall rules are now processed after the various security chains (access restriction, network service firewall, etc...), ensuring OVPN traffic no longer bypasses them. - FIXED: httpd crash on certain web pages if there are no Ethernet clients connected - FIXED: DNSFILTER rules would have priority over OPENVPN Client rules (when client has DNS set to Exclusive mode). - FIXED: traffic routing from the router itself would fail when restarting the firewall while using an ovpn client with policy rules in effect. - FIXED: Dashes were rejected when used in an OpenVPN policy client description. - REMOVED: Removed option to select between active and passive scan mode for a site survey (that code is now closed source and therefore that option can no longer be implemented). 382.1_2 (2-Dec-2017) - NEW: Added custom/add/postconf support for mcpd.conf (RT-AC86U) - CHANGED: Updated odhcp6c to latest upstream version (patch by theMIRon) - CHANGED: cifs and xt_set kernel modules will get automatically loaded as needed. - CHANGED: Updated openssl to 1.0.2m. - CHANGED: Updated libogg to 1.3.3 and libvorbis to 1.3.5. - CHANGED: Merged wireless components from GPL 382_18991 for RT-AC88U and RT-AC3100 (should in theory fix KRACK issue on these two models) - FIXED: allow IA_NA mode downgrade with forced IA_PD (for ISPs with broken IPv6 support) (patch by theMIRon) - FIXED: SSH brute force protection would break WAN connectivity (RT-AC86U) - FIXED: Wrong Trend Micro signature updater was used when compiling with FW update checker enabled. - FIXED: QoS Upload chart missing on PPPoE connections with Adaptive QoS enabled. - FIXED: client and vendor id fields on WAN page would fail to accept new values longer than 32 characters. - FIXED: The Desc field in the OpenVPN policy section would reject ":" if field contained a MAC address. - FIXED: Security issues CVE-2017-15275, CVE-2017-12163 and CVE-2017-12150 (backported to Samba 3.6 and 3.5) - FIXED: DHCP static lease list would refuse any change if the list of leases+hostnames was longer than 1000 chars due to an HND platform limitation (RT-AC86U) 382.1 (12-Nov-2017) Asuswrt-Merlin 382 was rebuilt from a clean GPL codebase, as merging the new 382 GPL on top of the existing code proved too difficult. For simplicity, the following abbreviations are used below: AM380 = Asuswrt-Merlin 380.xxx AM382 = Asuswrt-Merlin 382.xxx Asus380 = Asus's 184.108.40.206.380_xxxx Asus382 = Asus's 220.127.116.11.382_xxxx AM382.1 is based on AM380.68_4 merged on top of a clean 18.104.22.168.382_15098 GPL. At this time, only the RT-AC86U, RT-AC88U and RT-AC3100 are supported by AM382. Other models will gradually be moved to AM382 as Asus upgrade them to the new 382 code base (and GPL code becomes available for them). This changelog will focus on changes that happened between AM380.68 and AM382.1, or between Asus382_16466 and AM382. Also note that the primary download site was changed to Sourceforge, due to numerous issues with Mediafire. Onedrive will be the oficial mirror to the SF.net download site. - NEW: Moved to Asus382 codebase. Some of the most important changes between Asus380 and Asus382: - New Trend Micro DPI engine, with two-way IPS - New networkmap service (now closed source) - New OpenVPN implementation (now closed source, not used by AM382) - Numerous security enhancements throughout the code - NEW: Merged with GPL 382_16466 (RT-AC86U). - NEW: Added support for the RT-AC86U and its Broadcom HND platform (HND SDK from GPL 382_18219). Note that IPTraffic is not supported by this model due to its newer Linux kernel. - NEW: Rewrote part of the OpenVPN implementation, as Asus's own is now closed source. Asuswrt-Merlin's OpenVPN code will now be independent of Asus's. - NEW: Added support for inline CRLs when importing an ovpn file - NEW: Added support for fullcone NAT (RT-AC86U) - NEW: Added WiFi Radar (Broadcom's Visualization app) in the Wireless section. You must enable data collection on its Configuration page for all charts to work properly. (RT-AC86U) - NEW: Added option to disable the Asus NAT tunnel service under Other Settings -> Tweak. Not quite sure what this partly closed source service is for, but it eats a fair amount of CPU and RAM. - NEW: Option on OpenVPN Server page to quickly choose between pushing LAN or LAN + Internet access (ported from Asus382) - NEW: Option to select the bitsize to use (1024 or 2048) when automatically generating the OpenVPN server key/certs (ported from Asus382) - CHANGED: Updated wget to 1.19.2 (fixing connectivity to some TLS 1.2 servers) - CHANGED: SSH host keys are now stored in /jffs/ssl/ rather than nvram. - CHANGED: SMB2 is enabled by default on RT-AC86U (no performance penalty on that platform) - CHANGED: Moved UPnP Secure Mode setting from the Tweaks section to the WAN page, next to other UPnP settings. - CHANGED: Moved "Modify key and certs" link to its own dedicated row and made it a button for improved visibility (OpenVPN client & server pages) - CHANGED: Updated OpenVPN to 2.4.4. - CHANGED: The firmware version check behaviour was slightly changed. The "Get Beta" checkbox will now check both the Beta and the Release channels for new version availability. Automatic scheduled checks will still only check the Release channel. - CHANGED: Layout improvements to the SNMP, Login, and Operation Mode pages (patches by Alin Trăistaru) - CHANGED: Report both the local client IP as well as the public/visible IP on the OpenVPN client page once a client is connected (same info that was already available on the VPN Status page). - CHANGED: Moved Disk spindown settings to the System page, to match with Asus382 which now offers this feature. - REMOVED: Obsolete/exotic HMAC digests for OpenVPN servers (to match with Asus' own supported list) - REMOVED: "Custom" OpenVPN authentication mode (which probably nobody used or even understood).